Recently, the China's largest Chinese IT community website named CSDN leaked its user's account information. Later today CSDN made an announcements to its users on their website. The announcement said that some user account information was leaked and the passwords of the accounts were stored as plain text in their database before 2009, and after 2009, they adopted an encryption algorithm to encrypt user password. They urged all users who registered the account before 2009 to change their password immediately.

After reading this news, I was shocked. How come an IT website stores passwords in plain text format? The reason they gave for using the plain text is because of the connection between the accounts and a third-party chatting system. Is this reason acceptable? The No.1 requirement for a website is its security, if you cannot provide the basic security to your users, even if you have the best contents in the world, you will just drive your users away. As we know, when we start to develop any kind of software of web applications, we need to consider security at the beginning, we need to take security seriously whenever we design and implement a project.

As I know, CSDN was released in 1999, and the passwords were encrypted only in and after 2009 as their announcement said, it means that in 10 years, all user's passwords are stored in plain text format. As of today the CSDN alexa rank is 235, we can imagine that there are millions of users have registered on   CSDN. All these users accounts may be in danger, much worse for those who use this account to register on other websites, they need to change all their account's password on other websites.

I doubt that CSDN is not the only website which stores password as plain text. But I hope that in the future, less and less websites made similar mistakes. We need a safe web community so that we can share our life with no worry.